Europe
- European Guidance on AI and Data Protection.
European regulators have issued comprehensive guidelines advising companies on how to develop and deploy AI systems in accordance with the GDPR. Notable guidelines include:
- The French CNIL’s Guidelines on AI and Data Protection cover how developers should build AI systems in accordance with the GDPR, for example by recommending ways to determine the legal basis for processing and to ensure that the re-use of data is lawful.
- Germany’s DSK Guidance on AI and Data Protection is aimed primarily at deployers, not developers. According to the guidance, deployers must identify the application of the AI system and the purposes it will serve. The guidance also gives various recommendations on how to properly implement the system and highlights the importance of handling inputs and outputs containing personal data with extra care.
- The UK ICO Guidance on Generative AI and Data Protection explains how to form a legal basis for web-scraping to train AI models, how to maintain the accuracy of personal data when it is processed and entered into output by an AI model, and how to maintain the rights of individuals when processing personal data with an AI system. Please note that as the data protection authority of the UK, the ICO’s guidance is intended to aid compliance with the UK GDPR specifically.
US
Following the “Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence”, the United States Patent and Trademark Office issued guidance on inventorship for AI-assisted inventions. While the guidance clarifies that inventors must be natural persons, it determines that AI-assisted inventions are not automatically unpatentable. It clarifies that patent protection is available if a human has significantly contributed to the invention and provides guidance on how to determine such contribution.
In April 2024, the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science, and Transportation introduced the American Privacy Rights Act (“APPA”), aiming to consolidate various state privacy laws into a unified federal framework. Several obligations within the APPA apply to regulated entities using a “covered algorithm,” defined as a computational process that makes a decision or facilitates human decision-making by using covered data. Key requirements for such regulated entities include, among others, (i) conducting regular impact assessments, where the regulated entity is a large data holder and uses the covered algorithm in a manner that poses a consequential risk of harm; (ii) conducting an algorithm design evaluation; and (iii) notifying individuals subject to the covered algorithm of its use and providing an opt-out mechanism where the covered algorithm makes a consequential decision.
As a first of its kind in the US, Colorado enacted the Regulation on Consumer Protections for Artificial Intelligence, which will take effect in February 2026. The law governs high-risk AI systems making consequential decisions about key services. Under this regulation, developers and deployers of high-risk AI systems are required to exercise reasonable care to protect consumers from algorithmic discrimination and are required to disclose to consumers that they are interacting with an AI system, where applicable. The Act lists procedures that, if followed, grant the deployer the presumption of compliance with certain requirements.
In May 2024, the US Senate AI Working Group released its AI Policy Roadmap, recommending legislation to ban AI social scoring, promote transparency in AI used for medical services and products, ensure explainability and disclosure for public-facing AI systems, and protect against unauthorized use of personal attributes by AI. Some of these protections were already enacted in states, for instance in Tennessee.
The NIST released four policy documents related to AI systems: the Artificial Intelligence Risk Management Framework addresses 12 generative AI challenges, proposing action items for risk management; Secure Software Development Practices for Generative AI guides AI model and system producers on development practices; the Reducing Risks Posed by Synthetic Content document outlines standards for verifying, marking, and updating AI-generated content; and A Plan for Global Engagement on AI Standards sets forth a strategy for advancing global AI standards for all industry stakeholders.
Amidst accelerated adoption of AI by consumers and businesses, in April 2024 the Massachusetts Attorney General published an advisory addressing the application of general consumer protection and data protection state laws to AI. The advisory recognized that while AI holds many benefits to society, it also poses serious risks to consumers such as bias, lack of transparency, or implications for data protection. To address these issues, it clarified that existing consumer protection and data protection laws also extend to AI systems. Specifically, this includes prohibitions against “unfair and deceptive” practices, which, in the context of AI, encompass activities such as deep-fakes and the false advertising of AI system capabilities.
In March 2024, Tennessee enacted the “Ensuring Likeness, Voice, and Image Security Act”, taking effect in July 2024. The Act aims to protect artists from unauthorized use of their works by AI amidst multiple lawsuits filed against AI companies in the US, alleging that intellectual rights were infringed as protected works were used to train AI models. In a related effort, Congress advanced a bill aimed at accelerating the development of standards for identifying and labeling AI-generated audio or visual content.
To function effectively, AI systems need extensive datasets. AI developers frequently gather information from customers who use their services to meet this demand. A bill proposed in March 2024 addresses the use of personal data by businesses for training of AI models and/or selling this data to third parties without securing consent. The bill mandates that businesses intending to use or sell customer-provided data must offer clear disclosures about how this data will be utilized. Additionally, they must obtain explicit consumer consent for such use, on an “opt-in” basis, which consumers can revoke at any time. The bill asserts that businesses failing to adhere to these requirements will be deemed to have engaged in unfair or deceptive practices and subject to enforcement by the Federal Trade Commission.
____________________
This publication is provided as a service to our clients and colleagues, with explicit clarification that each specific case requires individual examination and discussion in writing.
The information presented here is of a general nature and is not intended to answer the unique circumstances of any individual or entity. Although we strive to provide accurate and available information, we cannot guarantee the accuracy of the information on the day it is received, nor that the information will continue to be accurate in the future. Do not act on the information presented without appropriate professional advice after a comprehensive and thorough examination of the specific situation.